AN HTTPd Sample Script File Truncation

2003-04-23T00:00:00
ID SECURITYVULNS:DOC:4425
Type securityvulns
Reporter Securityvulns
Modified 2003-04-23T00:00:00

Description

Product Description

AN HTTPd is a relatively small, powerful web server designed for Windows systems. It supports ISAPI, CGI, SSI, and several other powerful technologies (such as isolated worker processes) usually only seen in production servers. More information on AN HTTPd is available at http://www.st.rim.or.jp/~nakata/

Vulnerability Description

AN HTTPd (1.42h and prior) ships with several sample scripts demonstrating various interpreters the server is capable of using. One of these, "count.pl", is deployed in the "/isapi" virtual directory. It takes the query string as part of a file path, which it uses as a page counter. AN HTTPd does not check for directory traversals, and also does not prevent non-numeric data from being used as counters.

Issuing the following request: http://www.somesite.com/isapi/count.pl?../../../../../../../../../../../../. ./../../../../../../../../../ctr.dll

Will place "ctr.dll" in the root of C: with a "1" as its contents. This same trick also works on writable files that already exist. An effective patch for this vulnerability is to issue the following request:

http://www.somesite.com/isapi/count.pl?count.pl

This will destroy the vulnerable component, preventing further exploitation. Be nice, kiddies :-D

Some nastier stuff:

http://www.somesite.com/isapi/count.pl?../../../../../../../../../../../../. ./../../../../../../../../../windows/system32/calc.exe

You get the idea...

Impact

Attackers can overwrite any file that the CGI user can access (this userid is SYSTEM by default if running as a service, or the user running the binary if in GUI mode -- usually an administrator). Contents of the destroyed files cannot be sufficiently controlled to allow for exploitation in most cases, as the file is replaced with numeric data.

Solution

Remove this crappy sample script, and write a web counter that uses centralized configuration. The exploit shown above will remove this file from a vulnerable system.